2156760 – dnf upgrade fails on RHEL 8.4 E4S when fapolicyd is enabled.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2156760 - dnf upgrade fails on RHEL 8.4 E4S when fapolicyd is enabled.

Summary: dnf upgrade fails on RHEL 8.4 E4S when fapolicyd is enabled.

Keywords:
Status:	CLOSED DUPLICATE of bug 2110787
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	fapolicyd
Sub Component:
Version:	8.4
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Radovan Sroka
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-12-28 15:03 UTC by Ameya Patil
Modified:	2023-02-08 16:03 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-02-08 16:02:55 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-143314	0	None	None	None	2022-12-28 15:13:28 UTC
Red Hat Issue Tracker	SECENGSP-4935	0	None	None	None	2022-12-28 15:13:31 UTC

Description Ameya Patil 2022-12-28 15:03:25 UTC

Description of problem:

When performing upgrade on a RHEL 8.4 E4S system with fapolicyd service install and enabled causes the upgrade to fail during the yum transaction phase when the fapolicyd scriptlets are run. 

I observed that the fapolicyd service scriptlets are the first thing that run before upgrade of any package and as other packages are start being upgraded in few seconds time the upgrade get stuck and the dnf process cant be stopped or interrupted with CTRL-C at this point.
~~~
# dnf update
Updating Subscription Management repositories.
Last metadata expiration check: 0:09:20 ago on Wed 28 Dec 2022 08:59:03 AM EST.
Dependencies resolved.
===================================================================================================================================
 Package                             Arch   Version                                     Repository                            Size
===================================================================================================================================

[..output skipped..]

 fapolicyd                           x86_64 1.0.2-6.el8_4.2                             rhel-8-for-x86_64-appstream-e4s-rpms 107 k
 fapolicyd-selinux                   noarch 1.0.2-6.el8_4.2                             rhel-8-for-x86_64-appstream-e4s-rpms  25 k

[..output skipped..]

Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: fapolicyd-1.0.2-6.el8_4.2.x86_64                                                                          1/1 
  Preparing        :                                                                                                           1/1 
  Running scriptlet: bash-4.4.20-2.el8_4.x86_64                                                                                1/1 
  Upgrading        : bash-4.4.20-2.el8_4.x86_64                                                                              1/296 
  Running scriptlet: bash-4.4.20-2.el8_4.x86_64                                                                              1/296 
  Upgrading        : zlib-1.2.11-18.el8_4.x86_64                                                                             2/296 
  Upgrading        : libgcc-8.4.1-1.1.el8_4.x86_64                                                                           3/296 
  Running scriptlet: libgcc-8.4.1-1.1.el8_4.x86_64                                                                           3/296 
  Upgrading        : xz-libs-5.2.4-4.el8_4.x86_64                                                                            4/296 
  Upgrading        : libcom_err-1.45.6-2.el8_4.x86_64                                                                        5/296 
  Running scriptlet: libcom_err-1.45.6-2.el8_4.x86_64                                                                        5/296 
  Upgrading        : libstdc++-8.4.1-1.1.el8_4.x86_64                                                                        6/296 
  Running scriptlet: libstdc++-8.4.1-1.1.el8_4.x86_64                                                                        6/296 
  Upgrading        : grub2-common-1:2.02-99.el8_4.9.noarch                                                                   7/296 
  Upgrading        : chkconfig-1.13-2.el8_4.1.x86_64                                                                         8/296 
  Upgrading        : expat-2.2.5-4.el8_4.4.x86_64                                                                            9/296 
  Upgrading        : perl-libs-4:5.26.3-419.el8_4.1.x86_64 [========================================================     ]  10/296

[..stuck at this point indefinitely..]

  ^C^C^C^C^C^C^C

~~~


We need to login to the system through another terminal and then kill the dnf process using SIGKILL.
The strace of the process seems to suggest that this happened around the installation where fapolicyd seems to trying to add the entry with the checksum of the process to the fapolicyd database.
This results in the system update interrupted and lead to duplicate packages for a few packages which were upgrade before the upgrade get stuck.
~~~
# ps -elf | grep dnf
4 S root        5535    5238 10  80   0 - 206524 -     09:08 pts/0    00:00:21 /usr/libexec/platform-python /usr/bin/dnf update
0 S root        5620    5598  0  80   0 -  3034 -      09:11 pts/1    00:00:00 grep --color=auto dnf


# pstree -slap 5535
systemd,1 --switched-root --system --deserialize 17
  └─sshd,920 -D -oCiphers=aes256-gcm,chacha20-poly1305, [...output skipped...]
      └─sshd,5222
          └─sshd,5237
              └─bash,5238
                  └─dnf,5535 /usr/bin/dnf update


# strace -fTttvyys 4096 -p 5535
strace: Process 5535 attached
09:12:53.979435 write(45</run/fapolicyd/fapolicyd.fifo (deleted)>, "/usr/share/perl5/unicore/lib/Nv/20.pl 854 75d3e8bd0b2587460dac6ae4eac1bfad7bea0b80f38fa0c61bed9eeac2a73c14\n", 107^Cstrace: Process 5535 detached
 <detached ...>
~~~


We don't see any FANOTIFY or any errors in the Fapolicyd process denying any access to particular execution.
Also we I don't think the issue would be with the fapolicy permissions since the issue also occurs even when fapolicyd service is running in permissive mode.
~~~
# ausearch --start today -m fanotify --raw | aureport --file --summary

File Summary Report
===========================
total  file
===========================
<no events of interest were found>
~~~

I see that the daemon got restarted Possibly by the rpm pretransaction scriptlets and the I think this may somehow be contributing to this issue. Because every time I reproduced this the fapolicyd scriptlets are seen running during the start of the transaction after download phase and post few seconds as the system installs a few rpms the system is seen stuck.
~~~
]# systemctl status fapolicyd
● fapolicyd.service - File Access Policy Daemon
   Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-12-28 09:10:09 EST; 8min ago
  Process: 5578 ExecStart=/usr/sbin/fapolicyd (code=exited, status=0/SUCCESS)
 Main PID: 5580 (fapolicyd)
    Tasks: 4 (limit: 4930)
   Memory: 37.2M
   CGroup: /system.slice/fapolicyd.service
           └─5580 /usr/sbin/fapolicyd

Dec 28 09:10:09 rhel8-default.test.local systemd[1]: Started File Access Policy Daemon.
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: fapolicyd integrity is 0
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Loading rpmdb backend
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Checking database
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Importing data from rpmdb backend
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Importing data from file backend
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Entries in DB: 19820
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Loaded from all backends(without duplicates): 19820
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Database checks OK
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Starting to listen for events

~~~

Journal logs doe not show any issue apart from the restart which tool place./
~~~
#  journalctl -b -u fapolicyd
-- Logs begin at Wed 2022-12-28 08:51:33 EST, end at Wed 2022-12-28 09:11:33 EST. --
Dec 28 08:56:44 rhel8-default.test.local systemd[1]: Starting File Access Policy Daemon...
Dec 28 08:56:44 rhel8-default.test.local systemd[1]: fapolicyd.service: Can't open PID file /run/fapolicyd.pid (yet?) after start:>
Dec 28 08:56:44 rhel8-default.test.local fapolicyd[5495]: Initializing the database
Dec 28 08:56:44 rhel8-default.test.local fapolicyd[5495]: Database migration will be performed.
Dec 28 08:56:44 rhel8-default.test.local systemd[1]: Started File Access Policy Daemon.
Dec 28 08:56:44 rhel8-default.test.local fapolicyd[5495]: fapolicyd integrity is 0
Dec 28 08:56:44 rhel8-default.test.local fapolicyd[5495]: Loading rpmdb backend
Dec 28 08:56:45 rhel8-default.test.local fapolicyd[5495]: Creating database
Dec 28 08:56:45 rhel8-default.test.local fapolicyd[5495]: Loading data from rpmdb backend
Dec 28 08:56:45 rhel8-default.test.local fapolicyd[5495]: Loading data from file backend
Dec 28 08:56:45 rhel8-default.test.local fapolicyd[5495]: Starting to listen for events
Dec 28 09:10:08 rhel8-default.test.local fapolicyd[5495]: shutting down...
Dec 28 09:10:08 rhel8-default.test.local systemd[1]: Stopping File Access Policy Daemon...
Dec 28 09:10:09 rhel8-default.test.local systemd[1]: fapolicyd.service: Succeeded.
Dec 28 09:10:09 rhel8-default.test.local systemd[1]: Stopped File Access Policy Daemon.
Dec 28 09:10:09 rhel8-default.test.local systemd[1]: Starting File Access Policy Daemon...
Dec 28 09:10:09 rhel8-default.test.local systemd[1]: fapolicyd.service: Can't open PID file /run/fapolicyd.pid (yet?) after start:>
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Initializing the database
Dec 28 09:10:09 rhel8-default.test.local systemd[1]: Started File Access Policy Daemon.
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: fapolicyd integrity is 0
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Loading rpmdb backend
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Checking database
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Importing data from rpmdb backend
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Importing data from file backend
~~~

We are able to workaround the issue by disabling fapolicyd temporarily during the upgrade process.



Version-Release number of selected component (if applicable):
When upgrading to since I think the issue might be with the new rpms post transaction scriptlets instead of the existing rpm,
fapolicyd-1.0.2-6.el8_4.2.x86_64
fapolicyd-selinux-1.0.2-6.el8_4.2.x86_64

For reference I had tested this when upgrading from below versions to the above version,
fapolicyd-1.0.2-6.el8.x86_64
fapolicyd-selinux-1.0.2-6.el8.noarch

as well as, from below version to the above listed version
fapolicyd-1.0.2-6.el8_4.1.x86_64
fapolicyd-selinux-1.0.2-6.el8_4.1.x86_64


How reproducible:
Everytime with RHEL 8.4 E4S release fapolicyd


Steps to Reproduce:
1. Install RHEL 8.4 System using ISO and subscribe and enable RHEL 8.4 E4S release

    # subscription-manager register 
    # subscription-manager attach --pool=XXX
    # subscription-manager repos --enable rhel-8-for-x86_64-baseos-e4s-rpms --enable rhel-8-for-x86_64-appstream-e4s-rpms --disable rhel-8-for-x86_64-baseos-rpms --disable rhel-8-for-x86_64-appstream-rpms
    # subscription-manager release --set=8.4

2. Ensure the following fapolicyd rpm are installed and start and enable the fapolicyd service 

    ~~~
    # rpm -qa | grep fapolicy | sort 
    fapolicyd-1.0.2-6.el8.x86_64
    fapolicyd-selinux-1.0.2-6.el8.noarch
    rpm-plugin-fapolicyd-4.14.3-13.el8.x86_64
    ~~~

    # systemctl enable --now fapolicyd
    # systemctl status fapolicyd

3. Perform yum update while the fapolicyd is enabled.

    # dnf update


Actual results:
The dnf transaction get stuck and needs to be killed through another session and system has duplicate packages.


Expected results:
For dnf transaction to complete successfully.


Additional info:
We checked and I did not see this issue does not happens when upgrading to RHEL 8.7(or RHEL 8.6) fapolicyd from RHEL 8.4 version of RPM.

(Upgrade to RHEL 8.6 below, there is no pretransaction script run for fapolicyd)
~~~
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: filesystem-3.8-6.el8.x86_64                                                                               1/1 
  Preparing        :                                                                                                           1/1 
  Running scriptlet: libgcc-8.5.0-10.1.el8_6.x86_64                                                                            1/1 
  Upgrading        : libgcc-8.5.0-10.1.el8_6.x86_64                                                                          1/606 
  Running scriptlet: libgcc-8.5.0-10.1.el8_6.x86_64                                                                          1/606 
  Upgrading        : filesystem-3.8-6.el8.x86_64                                                                             2/606 
  Upgrading        : python3-pip-wheel-9.0.3-22.el8.noarch                                                                   3/606

[...output skipped...]

  Upgrading        : policycoreutils-python-utils-2.9-19.el8.noarch                                                        220/606 
  Running scriptlet: fapolicyd-selinux-1.1-6.el8_6.1.noarch                                                                221/606 
  Upgrading        : fapolicyd-selinux-1.1-6.el8_6.1.noarch                                                                221/606 
  Running scriptlet: fapolicyd-selinux-1.1-6.el8_6.1.noarch                                                                221/606 
  Running scriptlet: fapolicyd-1.1-6.el8_6.1.x86_64                                                                        222/606 
  Upgrading        : fapolicyd-1.1-6.el8_6.1.x86_64                                                                        222/606 
  Running scriptlet: fapolicyd-1.1-6.el8_6.1.x86_64                                                                        222/606 
  Upgrading        : python3-perf-4.18.0-372.32.1.el8_6.x86_64                                                             223/606

[...output skipped...]

  Running scriptlet: fapolicyd-1.0.2-6.el8.x86_64                                                                          361/606 
  Cleanup          : fapolicyd-1.0.2-6.el8.x86_64                                                                          361/606 
  Running scriptlet: fapolicyd-1.0.2-6.el8.x86_64                                                                          361/606

 [...output skipped...]
~~~

We checked the rpm scriptlets used in RHEL 8.7 (or RHEL 8.6 onward the scriptlets used in fapolicyd version 1.1.+) and found that its quite different from the one used in RHEL 8.4
In RHEL 8.7 rpm there are no pretranscation scriptlets at all and we see that in RHEL 8.4's case the pretransaction is run at the very start of the dnf transaction post which we see this issue with system being stuck.
And hence we suspect that the issue might be with the pretransaction scriptlets.

Comment 1 Dalibor Pospíšil 2023-01-02 14:18:34 UTC

What is the rpm-plugin-fapolicyd package version? Is is planned (by dnf) to be updated at once with fapolicyd or is it at version rpm-plugin-fapolicyd-4.14.3-14.el8_4.3 already?

Basically the same behaviour should be fixed by https://bugzilla.redhat.com/show_bug.cgi?id=2124524 which was delivered by the RHBA-2022:6989-02 on 2022-10-18.

You do not see any FANOTIFY event as the issue is on the rpm side rather than on the fapolicyd side. Basically the rpm should be updated before any other update which causes restart of fapolicyd (might be also systemd update). Unfortunately there's no way for us to ensure it to happen in two independent update cycles. There should be a KB article created for this. I will try to get more information.

Comment 3 Ameya Patil 2023-02-06 21:18:59 UTC

Hi Dalibor,


My apologies for the delay,

I no longer have the original system I did a test on. 
The test I did was on the fresh install of RHEL 8.4 since it was only reproducible on the RHEL 8.4 EUS repositories , I started with RHEL 8.4 fresh system.
The version "rpm-plugin-fapolicyd" package hence came from the RHEL 8.4 ISO - i.e. rpm-plugin-fapolicyd-4.14.3-13.el8.x86_64
I believe there was also an update to rpm-plugin-fapolicyd package in my transaction though I did not note it during that time.

I read the other Bugzilla you referenced - bug#2124524 , the issue referenced there in its parent BZ bug#2110787 , and the issue mentioned there seems to be very similar to the one mentioned here.
However one thing I see is that from my systems state is that I am able to update the same system with intial set of packages to  RHEL 8.7 (or RHEL 8.6 onward the scriptlets used in fapolicyd version 1.1.+) 

Do you mean I should first update the "rpm-plugin-fapolicyd" individually to the newest version from RHEL 8.4 E4S and then try updating the system again on RHEL 8.4 E4S ? Please correct me if I am wrong ?
I will do this test by tomorrow and reply back. 


Thanks,
Ameya

Comment 4 Ameya Patil 2023-02-06 21:25:31 UTC

> The test I did was on the fresh install of RHEL 8.4 since it was only reproducible on the RHEL 8.4 EUS repositories , I started with RHEL 8.4 fresh system.

Correction -  The test I did was on the fresh install of RHEL 8.4 since it was reproducible on the RHEL 8.4 E4S repositories , I started with RHEL 8.4 fresh system.

Comment 5 Dalibor Pospíšil 2023-02-07 11:27:36 UTC

> Do you mean I should first update the "rpm-plugin-fapolicyd" individually to
> the newest version from RHEL 8.4 E4S and then try updating the system again
> on RHEL 8.4 E4S ? Please correct me if I am wrong ?
> I will do this test by tomorrow and reply back. 

Yes please. Unfortunately that's the reality now. There's a clutch between the fapolicyd and the rpm-plugin-fapolicyd. Once the fapolicyd gets restarted during the update, the old rpm plugin still tries to communicate with the previously running fapolicyd instance. Therefore the plugin needs to be updated separately as the updated version takes effect at the start of the next rpm transaction.

Comment 6 Ameya Patil 2023-02-07 22:12:06 UTC

Hi Dalibor,


Thanks a lot for your help with the fix.

I did a test and and can confirm that if I update the "rpm-plugin-fapolicyd" first before the other package the upgrade goes through without errors.
Just to confirm the earlier issue if I am still able to reproduce the original issue I tested that if I do a normal dnf update as per the BZ description, I still see the hang.
While updating the "rpm-plugin-fapolicyd" before the main dnf transaction works without problems.


Notes:

- Initial set of packages on RHEL 8.4 fresh install subscribed to E4S repos yet to be updated.
~~~
# rpm -qa | grep fapolicy | sort 
fapolicyd-1.0.2-6.el8.x86_64
fapolicyd-selinux-1.0.2-6.el8.noarch
rpm-plugin-fapolicyd-4.14.3-13.el8.x86_64
~~~~

- Updated "rpm-plugin-fapolicyd" to the errata version.
~~~
# dnf update rpm-plugin-fapolicyd
Updating Subscription Management repositories.
Last metadata expiration check: 0:01:23 ago on Tue 07 Feb 2023 04:44:50 PM EST.
Dependencies resolved.
====================================================================================================================================================
 Package                                 Architecture        Version                        Repository                                         Size
====================================================================================================================================================
Upgrading:
 python3-rpm                             x86_64              4.14.3-14.el8_4.3              rhel-8-for-x86_64-baseos-e4s-rpms                 158 k
 rpm                                     x86_64              4.14.3-14.el8_4.3              rhel-8-for-x86_64-baseos-e4s-rpms                 542 k
 rpm-build                               x86_64              4.14.3-14.el8_4.3              rhel-8-for-x86_64-appstream-e4s-rpms              173 k
 rpm-build-libs                          x86_64              4.14.3-14.el8_4.3              rhel-8-for-x86_64-baseos-e4s-rpms                 156 k
 rpm-libs                                x86_64              4.14.3-14.el8_4.3              rhel-8-for-x86_64-baseos-e4s-rpms                 340 k
 rpm-plugin-fapolicyd                    x86_64              4.14.3-14.el8_4.3              rhel-8-for-x86_64-appstream-e4s-rpms               78 k
 rpm-plugin-selinux                      x86_64              4.14.3-14.el8_4.3              rhel-8-for-x86_64-baseos-e4s-rpms                  77 k
 rpm-plugin-systemd-inhibit              x86_64              4.14.3-14.el8_4.3              rhel-8-for-x86_64-baseos-e4s-rpms                  78 k

Transaction Summary
====================================================================================================================================================
Upgrade  8 Packages

Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/8): python3-rpm-4.14.3-14.el8_4.3.x86_64.rpm                                                                     182 kB/s | 158 kB     00:00    
(2/8): rpm-4.14.3-14.el8_4.3.x86_64.rpm                                                                             618 kB/s | 542 kB     00:00    
(3/8): rpm-plugin-selinux-4.14.3-14.el8_4.3.x86_64.rpm                                                               86 kB/s |  77 kB     00:00    
(4/8): rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.3.x86_64.rpm                                                      219 kB/s |  78 kB     00:00    
(5/8): rpm-libs-4.14.3-14.el8_4.3.x86_64.rpm                                                                        823 kB/s | 340 kB     00:00    
(6/8): rpm-build-libs-4.14.3-14.el8_4.3.x86_64.rpm                                                                  239 kB/s | 156 kB     00:00    
(7/8): rpm-build-4.14.3-14.el8_4.3.x86_64.rpm                                                                       546 kB/s | 173 kB     00:00    
(8/8): rpm-plugin-fapolicyd-4.14.3-14.el8_4.3.x86_64.rpm                                                            246 kB/s |  78 kB     00:00    
----------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                               993 kB/s | 1.6 MB     00:01     
warning: /var/cache/dnf/rhel-8-for-x86_64-baseos-e4s-rpms-f4e85a47cfb5562e/packages/rpm-plugin-selinux-4.14.3-14.el8_4.3.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Red Hat Enterprise Linux 8 for x86_64 - BaseOS - Update Services for SAP Solutions (RPMs)                           4.9 MB/s | 5.0 kB     00:00    
Importing GPG key 0xFD431D51:
 Userid     : "Red Hat, Inc. (release key 2) <security>"
 Fingerprint: 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Key imported successfully
Importing GPG key 0xD4082792:
 Userid     : "Red Hat, Inc. (auxiliary key) <security>"
 Fingerprint: 6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                            1/1 
  Upgrading        : rpm-libs-4.14.3-14.el8_4.3.x86_64                                                                                         1/16 
  Running scriptlet: rpm-libs-4.14.3-14.el8_4.3.x86_64                                                                                         1/16 
  Upgrading        : rpm-4.14.3-14.el8_4.3.x86_64                                                                                              2/16 
  Upgrading        : rpm-build-libs-4.14.3-14.el8_4.3.x86_64                                                                                   3/16 
  Running scriptlet: rpm-build-libs-4.14.3-14.el8_4.3.x86_64                                                                                   3/16 
  Upgrading        : python3-rpm-4.14.3-14.el8_4.3.x86_64                                                                                      4/16 
  Upgrading        : rpm-build-4.14.3-14.el8_4.3.x86_64                                                                                        5/16 
  Upgrading        : rpm-plugin-selinux-4.14.3-14.el8_4.3.x86_64                                                                               6/16 
  Upgrading        : rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.3.x86_64                                                                       7/16 
  Upgrading        : rpm-plugin-fapolicyd-4.14.3-14.el8_4.3.x86_64                                                                             8/16 
  Cleanup          : python3-rpm-4.14.3-13.el8.x86_64                                                                                          9/16 
  Cleanup          : rpm-build-4.14.3-13.el8.x86_64                                                                                           10/16 
  Cleanup          : rpm-build-libs-4.14.3-13.el8.x86_64                                                                                      11/16 
  Running scriptlet: rpm-build-libs-4.14.3-13.el8.x86_64                                                                                      11/16 
  Cleanup          : rpm-plugin-fapolicyd-4.14.3-13.el8.x86_64                                                                                12/16 
  Cleanup          : rpm-plugin-systemd-inhibit-4.14.3-13.el8.x86_64                                                                          13/16 
  Cleanup          : rpm-plugin-selinux-4.14.3-13.el8.x86_64                                                                                  14/16 
  Cleanup          : rpm-4.14.3-13.el8.x86_64                                                                                                 15/16 
  Cleanup          : rpm-libs-4.14.3-13.el8.x86_64                                                                                            16/16 
  Running scriptlet: rpm-libs-4.14.3-13.el8.x86_64                                                                                            16/16 
  Verifying        : rpm-plugin-selinux-4.14.3-14.el8_4.3.x86_64                                                                               1/16 
  Verifying        : rpm-plugin-selinux-4.14.3-13.el8.x86_64                                                                                   2/16 
  Verifying        : python3-rpm-4.14.3-14.el8_4.3.x86_64                                                                                      3/16 
  Verifying        : python3-rpm-4.14.3-13.el8.x86_64                                                                                          4/16 
  Verifying        : rpm-4.14.3-14.el8_4.3.x86_64                                                                                              5/16 
  Verifying        : rpm-4.14.3-13.el8.x86_64                                                                                                  6/16 
  Verifying        : rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.3.x86_64                                                                       7/16 
  Verifying        : rpm-plugin-systemd-inhibit-4.14.3-13.el8.x86_64                                                                           8/16 
  Verifying        : rpm-libs-4.14.3-14.el8_4.3.x86_64                                                                                         9/16 
  Verifying        : rpm-libs-4.14.3-13.el8.x86_64                                                                                            10/16 
  Verifying        : rpm-build-libs-4.14.3-14.el8_4.3.x86_64                                                                                  11/16 
  Verifying        : rpm-build-libs-4.14.3-13.el8.x86_64                                                                                      12/16 
  Verifying        : rpm-build-4.14.3-14.el8_4.3.x86_64                                                                                       13/16 
  Verifying        : rpm-build-4.14.3-13.el8.x86_64                                                                                           14/16 
  Verifying        : rpm-plugin-fapolicyd-4.14.3-14.el8_4.3.x86_64                                                                            15/16 
  Verifying        : rpm-plugin-fapolicyd-4.14.3-13.el8.x86_64                                                                                16/16 
Installed products updated.

Upgraded:
  python3-rpm-4.14.3-14.el8_4.3.x86_64         rpm-4.14.3-14.el8_4.3.x86_64                         rpm-build-4.14.3-14.el8_4.3.x86_64            
  rpm-build-libs-4.14.3-14.el8_4.3.x86_64      rpm-libs-4.14.3-14.el8_4.3.x86_64                    rpm-plugin-fapolicyd-4.14.3-14.el8_4.3.x86_64 
  rpm-plugin-selinux-4.14.3-14.el8_4.3.x86_64  rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.3.x86_64 

Complete!


- Now its updated.
~~~
# rpm -qa | grep fapolicyd | sort
fapolicyd-1.0.2-6.el8.x86_64
fapolicyd-selinux-1.0.2-6.el8.noarch
rpm-plugin-fapolicyd-4.14.3-14.el8_4.3.x86_64
~~~


- After this the transaction went through without errors. I see that as you had mentioned , there are "rpm-plugin-fapolicy" message that its waiting for the service connection to resume because the fapolicyd was restarted as part of the update in the fapolicyd scriptlets which it now detects and waits for connecting back to the new process.
~~~
Transaction test succeeded.
Running transaction
  Running scriptlet: fapolicyd-1.0.2-6.el8_4.2.x86_64                                                                                           1/1 
  Preparing        :                                                                                                                            1/1 
  Running scriptlet: bash-4.4.20-2.el8_4.x86_64                                                                                                 1/1 
  Upgrading        : bash-4.4.20-2.el8_4.x86_64                                                                                               1/288 
warning: rpm-plugin-fapolicyd: waiting for the service connection to resume, it can take up to 60 seconds
warning: rpm-plugin-fapolicyd: the service connection has resumed

  Running scriptlet: bash-4.4.20-2.el8_4.x86_64                                                                                               1/288 
  Upgrading        : libgcc-8.4.1-1.1.el8_4.x86_64                                                                                            2/288 
~~~





Thanks,
Ameya

Comment 8 Kyle Walker 2023-02-08 16:02:55 UTC

Closing this as a Duplicate of 2110787.

Note, the solution is available via the 8.4.0 Z-stream releases with the following Errata:

    https://access.redhat.com/errata/RHBA-2022:6989

It still does require the individual package to be updated prior to the rest of the system transaction.

*** This bug has been marked as a duplicate of bug 2110787 ***

Note You need to log in before you can comment on or make changes to this bug.